0b9e90ec65521f009af7ebd8e75f21b152f511fab64d1da1ea50c47108a4f927

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bd16feb8afaf233a42210718585bd50N.exe
Size

69KB
MD5

6bd16feb8afaf233a42210718585bd50
SHA1

ff4f241fec7bc9fb78e9113dc810c5612e084de9
SHA256

0b9e90ec65521f009af7ebd8e75f21b152f511fab64d1da1ea50c47108a4f927
SHA512

3783545b2ccfaf43de7832d0fe1dbcab7fa1b0481a9fd6110a29dec86db266de9f3b739884147e0cb03b5694687e3041d18e7cdc40d62fbeecb7675c3f1be6c1
SSDEEP

1536:W7ZNLpApCZrt8PWGoPWGANdN+hEwHwDvZvG:6NLWpCZIzjwHwU

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3278) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Microsoft Office\Office14\IEAWSDC.DLL.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tipresx.dll.mui.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Tucuman.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\ShapeCollector.exe.mui.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Management.Instrumentation.Resources.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Swift_Current.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-settings.jar.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\DvdTransform.fx.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.properties.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_ja_4.4.0.v20140623020002.jar.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Ndjamena.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libtheora_plugin.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterRegular.ttf.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\London.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Microsoft Games\Chess\ja-JP\Chess.exe.mui.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pohnpei.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.DataSetExtensions.Resources.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\librawvideo_plugin.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\libgnutls_plugin.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\tipresx.dll.mui.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jre7\lib\cmm\sRGB.pf.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Microsoft Office\Office14\ONLNTCOMLIB.DLL.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libsatip_plugin.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libtimecode_plugin.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Internet Explorer\jsprofilerui.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_it.properties.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rio_Branco.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Reunion.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\rtscom.dll.mui.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Microsoft Games\Mahjong\es-ES\Mahjong.exe.mui.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationFramework.resources.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\msvcr100.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Pitcairn.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\7-Zip\Lang\tg.txt.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\ChkrRes.dll.mui.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Taipei.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\jvm.lib.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui_5.5.0.165303.jar.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Marengo.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Abstractions.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp_3.6.300.v20140407-1855.jar.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jre7\bin\mlib_image.dll.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Tijuana.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\chkrzm.exe.mui.tmp	6bd16feb8afaf233a42210718585bd50N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\vlc.mo.tmp	6bd16feb8afaf233a42210718585bd50N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6bd16feb8afaf233a42210718585bd50N.exe

C:\Users\Admin\AppData\Local\Temp\6bd16feb8afaf233a42210718585bd50N.exe
"C:\Users\Admin\AppData\Local\Temp\6bd16feb8afaf233a42210718585bd50N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3502430532-24693940-2469786940-1000\desktop.ini.tmp

Filesize
70KB

MD5
fa53bae5a1b1095564d197cdbd0f971c

SHA1
185e79bc24956b71f9ae9e8db0cf3d5b6427a64d

SHA256
4e760026d5c1df913387fcfcdfb5ace343e67ce69fadd4771f23ad43dc39d000

SHA512
ea68314d2332d97138cd3362f9098a1245f8e3df1521a0feaaff4bb4adbc147e0be9d0104da3b22edbbfb2148c0a10b3bdf7894f31923212300eeb674daaeffe

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
78KB

MD5
ee8506aae599d82859cb3cf30ff2b5a8

SHA1
c89b7c16e7545cb644dc18c5f33cc69631bcf801

SHA256
737fd9d45b3b46640b2e7e69c57679ae44fae48453a225cdeae6d634083d9ca0

SHA512
e8d231ce2b177f847a4f5802427c0d5563d4257bdfcee998b6fb7e9cd589c984129f47808f569923cfadc5cdb21a46aff5e529d35723277d4c1f15a99232c08e

Download Submit